Security vendor blames Amazon for customer malware

A security vendor claims Amazon Web Services provided a cloud-computing customer with an unpatched version of Windows that resulted in a malware infection.

A security vendor claims Amazon Web Services provided a cloud-computing customer with an unpatched version of Windows that resulted in a malware infection.

Bkav, a network security company based in Vietnam, started investigating the incident after the AWS customer complained that Bkav software had failed to catch the data-stealing malware.

Bkav claims that AWS, a division of e-retailer Amazon, initially handed the customer a version of Windows Server 2003 that had not been patched since October 2009. Over the last five years, 300 vulnerabilities have been reported in the operating system, according to CVE Details.

Bkav believes the OS was compromised before the customer had a chance to update the software, Ngo Tuan Anh, vice president of Internet security, wrote in the company's blog Wednesday.

Hackers continuously scan the Internet for vulnerabilities in servers, so it is possible they found the unpatched OS and infected it with malware as soon as it was turned on, Anh said.

When a company chooses Amazon's cloud-computing service, it selects a package of technologies, called an Amazon Machine Image (AMI), that is suppose to include a fully patched operating system, application server and applications. How Bkav's customer got unpatched software is not clear.

Amazon declined comment.

Bkav tested the cloud-computing services of Microsoft, Hewlett-Packard and GoGrid and claims to have found that Microsoft Azure was the only one consistently running updated versions of Windows. HP Public Cloud had some versions eight months out of data, while GoGrid had versions that had not been patched since April 2012, Bkav said.

GoGrid did not respond to a request for comment, but HP said its "cloud team closely examines our systems and sites for potential vulnerabilities, and remediates as needed."

"Also, it should be noted that HP consistently employs security controls and procedures to protect against potential attacks that target our systems and networks," the company said in a statement emailed to CSOonline.